1 CIS 5371 Cryptography 9. Data Integrity Techniques.


2 Asymmetric techniques, I: Digital signatures
With PK encryption, Alice can use her private key to decrypt a message, and the resultant “ciphertext” can be “encrypted” with her public key to recover the message. This ciphertext can serve as a Manipulation Detection Code (MDC). The verification of an MDC can be performed by anyone since the public key is available to anyone.

3 Example of an MDC based on RSA

4 Digital signature schemes

5 The RSA signature scheme

6 Security issues for digital signatures
Active attacks on digital signatures:
Adaptive Chosen-Message Attack (CMA):
– The attacker chooses adaptively a number of messages and obtains the corresponding signatures: the attacker is successful if he can sign a (new) target message.
Existential forgery under CMA:
– The adversary can compute one (new) message and its signature.
With RSA the algorithms (Sign, Verify) form a one-way trapdoor pair. This means that it is easy to compute valid “message-signature” pairs (by first selecting a signature and then finding the corresponding message). However, computing message-signature pairs should be hard. A usual way to prevent this is to add redundancy to the message.
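
The point of slide 6, as an added example that is not part of the original slides: with textbook RSA a valid pair can be built from the public key by choosing the signature first, and a redundancy rule makes almost every such choice fail verification. The toy key and the `m || m` redundancy rule are assumptions made for this example.

```python
# Constructed toy RSA key (classic textbook numbers, far too small for real use).
P, Q = 61, 53
N = P * Q                              # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent

def sign_raw(m):
    """Textbook RSA: the signature is m^d mod N with no encoding."""
    return pow(m, D, N)

def verify_raw(m, s):
    return pow(s, E, N) == m

def existential_forgery(s):
    """Select the signature first, then derive the message from public data only."""
    return pow(s, E, N), s

BITS = 5                               # hypothetical rule: encoded value is m || m

def encode(m):
    if not 0 <= m < (1 << BITS):
        raise ValueError("message out of range")
    return (m << BITS) | m

def sign_redundant(m):
    return pow(encode(m), D, N)

def verify_redundant(s):
    """Return the message if s^e mod N has the m || m form, else None."""
    x = pow(s, E, N)
    hi, lo = x >> BITS, x & ((1 << BITS) - 1)
    return lo if hi == lo else None

def blind_forgery_hits():
    """Count how many of the N-1 possible signatures decode to a well-formed message."""
    return sum(verify_redundant(s) is not None for s in range(1, N))

if __name__ == "__main__":
    m, s = existential_forgery(1234)
    print("forged pair accepted by raw verify:", verify_raw(m, s))
    print("accepted with redundancy:", blind_forgery_hits(), "of", N - 1)
```

At this toy size the redundancy only lowers the acceptance rate; deployed schemes get the same effect at full strength from hash-based encodings.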

7 Rabin signatures
Signature setup: same as RSA. Public key = (n, b), private key = (p, q).
Signature generation: Exercise.
Signature verification: Exercise.

8 The ElGamal signature scheme

9

10 Toy example

11 The security of ElGamal signatures
If the DL problem is feasible then ElGamal signatures can be forged. The converse may not be true.
The exponent k:
– must be private,
– cannot be used twice,
– best: chosen at random.
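
Why the exponent k cannot be used twice, as an added example that is not part of the original slides: two signatures made with the same k share the same gamma, which an auditor can detect, and the two equations then determine the private key. The example uses the standard ElGamal signing and verification equations with constructed toy parameters (p, alpha, a and the messages are assumptions).

```python
from math import gcd

# Constructed toy parameters (small textbook-style numbers, not secure).
p, alpha = 467, 2
a = 127                          # signer's private key
beta = pow(alpha, a, p)          # signer's public key

def sign(x, k):
    """gamma = alpha^k mod p, delta = (x - a*gamma) * k^-1 mod (p-1)."""
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be invertible mod p-1")
    gamma = pow(alpha, k, p)
    delta = (x - a * gamma) * pow(k, -1, p - 1) % (p - 1)
    return gamma, delta

def verify(x, gamma, delta):
    """Accept iff beta^gamma * gamma^delta == alpha^x (mod p)."""
    if not 0 < gamma < p:
        return False
    return pow(beta, gamma, p) * pow(gamma, delta, p) % p == pow(alpha, x, p)

def reused_k(signatures):
    """Audit check: equal gamma values mean the same k was used more than once."""
    seen = {}
    for idx, (gamma, _delta) in enumerate(signatures):
        if gamma in seen:
            return seen[gamma], idx
        seen[gamma] = idx
    return None

def key_from_reused_k(x1, sig1, x2, sig2):
    """Public data alone determines a when k repeats (invertible case only)."""
    (gamma, d1), (gamma2, d2) = sig1, sig2
    dd = (d1 - d2) % (p - 1)
    if gamma != gamma2 or gcd(dd, p - 1) != 1 or gcd(gamma, p - 1) != 1:
        return None
    k = (x1 - x2) * pow(dd, -1, p - 1) % (p - 1)      # from delta1 - delta2
    return (x1 - k * d1) * pow(gamma, -1, p - 1) % (p - 1)

if __name__ == "__main__":
    s1, s2 = sign(100, 213), sign(101, 213)           # same k twice
    print("reuse detected at:", reused_k([s1, s2]))
    print("private key exposed:", key_from_reused_k(100, s1, 101, s2) == a)
```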

12 The Digital Signature Algorithm

13 The Digital Signature scheme

14 Provable security: forging signatures
We must show that given a message it is hard to forge a signature. Is this enough? There are several attacks we already discussed:
– Existential forgery
– Adaptive Chosen-Message Attacks
What is really needed is a formal security model for digital signatures that allows for all possible threat scenarios and all protocol aspects. One such model is the Random Oracle model.

15 Asymmetric techniques, II: Data integrity without source identification
Optimal Asymmetric Encryption Padding: RSA-OAEP

16 RSA with OAEP: Key parameters
Let $(N, e, d, G, H, n, k_0, k_1) \leftarrow_U \mathrm{Gen}(1^x)$ satisfy:
– $(N, e, d)$ are RSA parameters,
– $|N| = k = n + k_0 + k_1$, with $2^{-k_0}$, $2^{-k_1}$ negligible quantities,
– $G$, $H$ are hash functions with $G: \{0,1\}^{k_0} \to \{0,1\}^{k-k_0}$, $H: \{0,1\}^{k-k_0} \to \{0,1\}^{k_0}$,
– $n$ is the length of the plaintext.
$(n, k_0, k_1, G, H, e)$ is Alice’s RSA public key, $(n, k_0, k_1, G, H, d)$ is Alice’s RSA private key.

17 RSA with OAEP: Encryption
Let $m \in \{0,1\}^n$ be the message to be sent to Alice. Bob (Malice?) performs the following:
1. $r \leftarrow_U \{0,1\}^{k_0}$; $s \leftarrow (m \,\|\, 0^{k_1}) \oplus G(r)$; $t \leftarrow r \oplus H(s)$
2. If $s \,\|\, t \ge N$ then go to 1;
3. $c \leftarrow (s \,\|\, t)^e$.

18 RSA with OAEP: Decryption
Upon receipt of the ciphertext $c$ Alice performs:
1. $s \,\|\, t \leftarrow c^d \pmod{N}$ satisfying $|s| = n + k_1$, $|t| = k_0$
2. $u \leftarrow t \oplus H(s)$; $v \leftarrow s \oplus G(u)$
3. Output $m$ if $v = m \,\|\, 0^{k_1}$, else reject.
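
The key setup, encryption and decryption of slides 16 to 18 carried through in code, as an added example that is not part of the original slides. The key built from two Mersenne primes, e = 65537, k0 = k1 = 64 and SHAKE-256 standing in for the oracles G and H are all assumptions chosen for illustration.

```python
import hashlib
import secrets

# Constructed toy key: two Mersenne primes give a 234-bit N (illustration only).
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = N.bit_length()            # k = |N|
K0, K1 = 64, 64               # 2^-k0 and 2^-k1 are the negligible quantities
NBITS = K - K0 - K1           # n = plaintext length in bits

def _oracle(tag, x, in_bits, out_bits):
    """Stand-in for a random oracle: SHAKE-256 output truncated to out_bits bits."""
    nbytes = (out_bits + 7) // 8
    data = tag + x.to_bytes((in_bits + 7) // 8, "big")
    raw = hashlib.shake_256(data).digest(nbytes)
    return int.from_bytes(raw, "big") >> (8 * nbytes - out_bits)

def G(r):                     # {0,1}^k0 -> {0,1}^(k-k0)
    return _oracle(b"G", r, K0, K - K0)

def H(s):                     # {0,1}^(k-k0) -> {0,1}^k0
    return _oracle(b"H", s, K - K0, K0)

def encrypt(m):
    if not 0 <= m < 2**NBITS:
        raise ValueError("plaintext must fit in n bits")
    while True:
        r = secrets.randbits(K0)          # step 1: fresh random r
        s = (m << K1) ^ G(r)              # (m || 0^k1) xor G(r)
        t = r ^ H(s)
        x = (s << K0) | t                 # s || t
        if x < N:                         # step 2: retry if s || t >= N
            return pow(x, E, N)           # step 3

def decrypt(c):
    x = pow(c, D, N)
    s, t = x >> K0, x & (2**K0 - 1)       # |s| = n + k1, |t| = k0
    u = t ^ H(s)
    v = s ^ G(u)
    if v & (2**K1 - 1):                   # low k1 bits are not all zero: reject
        return None
    return v >> K1

if __name__ == "__main__":
    c = encrypt(int.from_bytes(b"pay Bob 100", "big"))
    print(decrypt(c).to_bytes(11, "big"), decrypt(c * pow(2, E, N) % N))
```

Multiplying the ciphertext by 2^e, which textbook RSA would decrypt to twice the plaintext, is rejected here because the recovered padding is no longer all zeros.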

19 RSA with OAEP: Security
RSA with OAEP provides data integrity, but not origin integrity. It can be shown that RSA-OAEP is secure against CCA2 attacks in the Random Oracle Model.

20 The Random Oracle Model (ROM)
Security is defined in terms of a game involving two parties: the system (Simon) and the adversary (Malice). All authorized parties of the system are represented by random oracles (Alice, Bob, …). Access to any party is via its oracle. Access to an oracle G is by a query a, to get the response G(a). The system of oracles is managed by Simon Simulator (who arranges that the oracles simulate the behavior of the real parties).

21 The Random Oracle Model
There are two phases:
– A training phase in which Malice is allowed to make queries (adaptively) and get responses.
– A test phase in which Malice must answer 0 or 1 as his educated guess to a challenge by Simon.
The adversary Malice wins if at the test phase he can distinguish with probability better than $0.5 + \varepsilon$ between two strings, e.g. if a public-key encryption system is analyzed, the adversary must distinguish between the ciphertexts $c_1, c_2$ of two new messages $m_1, m_2$.

22 The Random Oracle Model
The system is secure if Malice cannot win. The type of queries the adversary can make is determined by the threat model used: in CCA2 the adversary can adaptively choose ciphertexts and get the corresponding plaintexts.

23 One-time signatures: Lamport signature scheme
Let $k$ be an integer, $P = \{0,1\}^k$. Suppose that $f : Y \to Z$ is a one-way function, and $A = Y^k$. Let $y_{i,j} \in Y$ be chosen at random, $1 \le i \le k$, $j = 0, 1$, and $z_{i,j} = f(y_{i,j})$. Let $K$ consist of the $2k$ pairs $(y_{i,j}, z_{i,j})$. The $y$’s are the private key, the $z$’s the public key.

24 Lamport signature scheme
Signing: Let $x = (x_1, x_2, \ldots, x_k) \in P$ be a message. For $K = (y_{i,j}, z_{i,j})$ define $\mathrm{sig}_K(x_1, x_2, \ldots, x_k) = (y_{1,x_1}, y_{2,x_2}, \ldots, y_{k,x_k})$.
Verification: $\mathrm{ver}_K((x_1, x_2, \ldots, x_k), (y_{1,x_1}, y_{2,x_2}, \ldots, y_{k,x_k})) = \text{true} \iff f(y_{i,x_i}) = z_{i,x_i}$, $1 \le i \le k$.
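
The Lamport key generation, signing and verification of slides 23 and 24, as an added example that is not part of the original slides. SHA-256 as the one-way function f, 32-byte private values, and the `OneTimeSigner` guard class are assumptions of this example; `reuse_exposes_key` shows why the scheme is called one-time.

```python
import hashlib
import secrets

def f(y):
    """One-way function f: Y -> Z (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(y).digest()

def keygen(k):
    """Private key y[i][j], public key z[i][j] = f(y[i][j]), 0 <= i < k, j in {0, 1}."""
    y = [[secrets.token_bytes(32) for _ in (0, 1)] for _ in range(k)]
    z = [[f(v) for v in row] for row in y]
    return y, z

def sign(y, x):
    """sig_K(x_1..x_k) = (y[1][x_1], ..., y[k][x_k]); x is a list of k bits."""
    if len(x) != len(y):
        raise ValueError("message must be exactly k bits")
    return [y[i][bit] for i, bit in enumerate(x)]

def verify(z, x, sig):
    """Accept iff f(sig[i]) == z[i][x_i] for every position i."""
    if not (len(z) == len(x) == len(sig)):
        return False
    return all(f(s) == z[i][bit] for i, (s, bit) in enumerate(zip(sig, x)))

class OneTimeSigner:
    """Holds a Lamport key and refuses to sign a second message with it."""
    def __init__(self, k):
        self._y, self.public = keygen(k)
        self._used = False

    def sign(self, x):
        if self._used:
            raise RuntimeError("one-time key already used; generate a new key pair")
        self._used = True
        return sign(self._y, x)

def reuse_exposes_key():
    """Two signatures under one key reveal both preimages where the messages differ."""
    y, z = keygen(4)
    s0, s1 = sign(y, [0, 0, 0, 0]), sign(y, [1, 1, 1, 1])
    spliced = [s0[0], s1[1], s1[2], s0[3]]      # never signed by the key owner
    return verify(z, [0, 1, 1, 0], spliced)
```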

25 The security of the Lamport signature scheme
The security of the Lamport signature scheme can be proven if we assume that:
– the one-way function is bijective, and
– the public key consists of distinct elements.

